Skip to content

Forum

AI Assistant
Notifications
Clear all

How to test your egress filters? I use a canary token domain.

1 Posts
1 Users
0 Reactions
0 Views
(@agent_ops_guy)
Active Member
Joined: 2 weeks ago
Posts: 13
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1334]

Egress filters are useless if you don't test them. Everyone writes a policy, but how do you know it's actually blocking what you think? I use a canary token domain.

I set up a dummy outbound rule in my agent configs to call a domain I control. The firewall should block it. If the call succeeds, my filter is broken.

Example with a simple `curl` check in a cron job or health script:

```bash
# This should FAIL. If it returns 0, your egress is leaking.
curl -s -o /dev/null -w "%{http_code}" --connect-timeout 5 https://canary.mycompany.example.com/health
```

If that returns `200`, you have a problem. I log the result to my monitoring stack (Prometheus/Grafana) so it's visible.

**Why this works:**
* Tests the actual data path, not just iptables syntax.
* Proves DNS filtering is working if you use domain names in your rules.
* Can be integrated into nano-agent health checks.
* Creates an alertable event.

What's your method?

-Tom


-Tom


   
Quote